Update RPC-LSA to (almost) pass against Windows 2008.
[kai/samba.git] / source / torture / rpc / lsa.c
index 4fb459ea2564237ad266041a8ef7bf5f6c0e7fff..98cbf12e6879958f43255dbf9547f125107c93a5 100644 (file)
@@ -614,7 +614,8 @@ bool test_many_LookupSids(struct dcerpc_pipe *p,
                if (!test_LookupNames(p, mem_ctx, handle, &names)) {
                        return false;
                }
-       } else {
+       } else if (p->conn->security_state.auth_info->auth_type == DCERPC_AUTH_TYPE_SCHANNEL &&
+                  p->conn->security_state.auth_info->auth_level >= DCERPC_AUTH_LEVEL_INTEGRITY) {
                struct lsa_LookupSids3 r;
                struct lsa_TransNameArray2 names;
 
@@ -884,6 +885,26 @@ static bool test_Delete(struct dcerpc_pipe *p,
 
        r.in.handle = handle;
        status = dcerpc_lsa_Delete(p, mem_ctx, &r);
+       if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
+               printf("Delete should have failed NT_STATUS_NOT_SUPPORTED - %s\n", nt_errstr(status));
+               return false;
+       }
+
+       return true;
+}
+
+static bool test_DeleteObject(struct dcerpc_pipe *p, 
+                             TALLOC_CTX *mem_ctx, 
+                             struct policy_handle *handle)
+{
+       NTSTATUS status;
+       struct lsa_DeleteObject r;
+
+       printf("testing DeleteObject\n");
+
+       r.in.handle = handle;
+       r.out.handle = handle;
+       status = dcerpc_lsa_DeleteObject(p, mem_ctx, &r);
        if (!NT_STATUS_IS_OK(status)) {
                printf("Delete failed - %s\n", nt_errstr(status));
                return false;
@@ -912,7 +933,19 @@ static bool test_CreateAccount(struct dcerpc_pipe *p,
        r.out.acct_handle = &acct_handle;
 
        status = dcerpc_lsa_CreateAccount(p, mem_ctx, &r);
-       if (!NT_STATUS_IS_OK(status)) {
+       if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_COLLISION)) {
+               struct lsa_OpenAccount r_o;
+               r_o.in.handle = handle;
+               r_o.in.sid = newsid;
+               r_o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+               r_o.out.acct_handle = &acct_handle;
+               
+               status = dcerpc_lsa_OpenAccount(p, mem_ctx, &r_o);
+               if (!NT_STATUS_IS_OK(status)) {
+                       printf("OpenAccount failed - %s\n", nt_errstr(status));
+                       return false;
+               }
+       } else if (!NT_STATUS_IS_OK(status)) {
                printf("CreateAccount failed - %s\n", nt_errstr(status));
                return false;
        }
@@ -921,6 +954,10 @@ static bool test_CreateAccount(struct dcerpc_pipe *p,
                return false;
        }
 
+       if (!test_DeleteObject(p, mem_ctx, &acct_handle)) {
+               return false;
+       }
+
        return true;
 }
 
@@ -948,6 +985,10 @@ static bool test_DeleteTrustedDomain(struct dcerpc_pipe *p,
                return false;
        }
 
+       if (!test_DeleteObject(p, mem_ctx, &trustdom_handle)) {
+               return false;
+       }
+
        return true;
 }
 
@@ -986,7 +1027,7 @@ static bool test_CreateSecret(struct dcerpc_pipe *p,
        struct lsa_SetSecret r7;
        struct lsa_QuerySecret r8;
        struct policy_handle sec_handle, sec_handle2, sec_handle3;
-       struct lsa_Delete d;
+       struct lsa_DeleteObject d_o;
        struct lsa_DATA_BUF buf1;
        struct lsa_DATA_BUF_PTR bufp1;
        struct lsa_DATA_BUF_PTR bufp2;
@@ -1245,35 +1286,16 @@ static bool test_CreateSecret(struct dcerpc_pipe *p,
                        if (!r8.out.new_val || !r8.out.old_val) {
                                printf("in/out pointers not returned, despite being set on in for QuerySecret\n");
                                ret = false;
-                       } else if (r8.out.new_val->buf == NULL) {
-                               if (i != LOCAL) { 
-                                       printf("NEW secret buffer not returned after GLOBAL OLD set\n");
-                                       ret = false;
-                               }
+                       } else if (r8.out.new_val->buf != NULL) {
+                               printf("NEW secret buffer must not be returned after OLD set\n");
+                               ret = false;
                        } else if (r8.out.old_val->buf == NULL) {
-                               printf("OLD secret buffer not returned after OLD set\n");
+                               printf("OLD secret buffer was not returned after OLD set\n");
                                ret = false;
                        } else if (r8.out.new_mtime == NULL || r8.out.old_mtime == NULL) {
                                printf("Both times not returned after OLD set\n");
                                ret = false;
                        } else {
-                               if (i == LOCAL) { 
-                                       printf("NEW secret buffer should not be returned after LOCAL OLD set\n");
-                                       ret = false;
-                               }
-                               blob1.data = r8.out.new_val->buf->data;
-                               blob1.length = r8.out.new_val->buf->length;
-                               
-                               blob2 = data_blob_talloc(mem_ctx, NULL, blob1.length);
-                               
-                               secret6 = sess_decrypt_string(mem_ctx,
-                                                             &blob1, &session_key);
-                               
-                               if (strcmp(secret3, secret4) != 0) {
-                                       printf("Returned NEW secret '%s' doesn't match '%s'\n", secret4, secret3);
-                                       ret = false;
-                               }
-
                                blob1.data = r8.out.old_val->buf->data;
                                blob1.length = r8.out.old_val->buf->size;
                                
@@ -1287,14 +1309,7 @@ static bool test_CreateSecret(struct dcerpc_pipe *p,
                                        ret = false;
                                }
                                
-                               if (*r8.out.new_mtime == *r8.out.old_mtime) {
-                                       if (i != GLOBAL) { 
-                                               printf("Returned secret %s had same mtime for both secrets: %s\n", 
-                                                      secname[i],
-                                                      nt_time_string(mem_ctx, *r8.out.new_mtime));
-                                               ret = false;
-                                       }
-                               } else {
+                               if (*r8.out.new_mtime != *r8.out.old_mtime) {
                                        printf("Returned secret %s should have had same mtime for both secrets: %s != %s\n", 
                                               secname[i],
                                               nt_time_string(mem_ctx, *r8.out.old_mtime),
@@ -1308,8 +1323,13 @@ static bool test_CreateSecret(struct dcerpc_pipe *p,
                        ret = false;
                }
                
-               d.in.handle = &sec_handle2;
-               status = dcerpc_lsa_Delete(p, mem_ctx, &d);
+               if (!test_DeleteObject(p, mem_ctx, &sec_handle)) {
+                       return false;
+               }
+
+               d_o.in.handle = &sec_handle2;
+               d_o.out.handle = &sec_handle2;
+               status = dcerpc_lsa_DeleteObject(p, mem_ctx, &d_o);
                if (!NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
                        printf("Second delete expected INVALID_HANDLE - %s\n", nt_errstr(status));
                        ret = false;
@@ -1454,9 +1474,9 @@ static bool test_EnumAccounts(struct dcerpc_pipe *p,
                        return false;
                }
 
-               if (!test_LookupSids3(p, mem_ctx, &sids1)) {
-                       return false;
-               }
+               /* Can't test lookupSids3 here, as clearly we must not
+                * be on schannel, or we would not be able to do the
+                * rest */
 
                printf("testing all accounts\n");
                for (i=0;i<sids1.num_sids;i++) {
@@ -1667,8 +1687,8 @@ static bool test_query_each_TrustDom(struct dcerpc_pipe *p,
                struct policy_handle handle2;
                struct lsa_Close c;
                struct lsa_CloseTrustedDomainEx c_trust;
-               int levels [] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12};
-               int ok[]      = {1, 0, 1, 0, 0, 1, 0, 1, 0,  0,  0,  1};
+               int levels [] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13};
+               int ok[]      = {1, 0, 1, 0, 0, 1, 0, 1, 0,  0,  0,  1, 1};
 
                if (domains->domains[i].sid) {
                        trust.in.handle = handle;
@@ -1912,8 +1932,6 @@ static bool test_EnumTrustDom(struct dcerpc_pipe *p,
                                       r_ex.in.max_size,
                                       LSA_ENUM_TRUST_DOMAIN_EX_MULTIPLIER, 
                                       r_ex.in.max_size / LSA_ENUM_TRUST_DOMAIN_EX_MULTIPLIER);
-                               ret = false;
-                               exit(1);
                        }
                } else if (!NT_STATUS_IS_OK(enum_status)) {
                        printf("EnumTrustedDomainEx failed - %s\n", nt_errstr(enum_status));
@@ -2311,11 +2329,9 @@ bool torture_rpc_lsa(struct torture_context *tctx)
                        ret = false;
                }
                
-#if 0
                if (!test_Delete(p, tctx, handle)) {
                        ret = false;
                }
-#endif
                
                if (!test_many_LookupSids(p, tctx, handle)) {
                        ret = false;